Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2016.1162
sol35358312: TCP vulnerability CVE-2015-8099
11 May 2016
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: F5 products
Publisher: F5 Networks
Operating System: Network Appliance
Impact/Access: Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2015-8099
Original Bulletin:
https://support.f5.com/kb/en-us/solutions/public/k/35/sol35358312.html
- --------------------------BEGIN INCLUDED TEXT--------------------
sol35358312: TCP vulnerability CVE-2015-8099
Security Advisory
Original Publication Date: 05/10/2016
Vulnerability Description
Under limited conditions, an invalid TCP segment can lead to a Denial
of Service for the High-Speed Bridge (HSB) on the following platforms:
3900, 6900, 8900, 8950, 11000, 11050, PB100 or PB200. This issue is only
exposed on virtual servers while Software SYN cookies are configured for
use and currently engaged. The scope of the exposure is limited to the
BIG-IP data plane. The access vector is network based and authentication
is not a requirement for attack. There is no control plane exposure to
this issue. (CVE-2015-8099)
Impact
Invalid TCP segment can lead to a Denial of Service (DoS) for BIG-IP
platforms that contain the High-Speed Bridge (HSB).
Security Issue Status
F5 Product Development has assigned ID 542314 (BIG-IP) and ID 558389
(BIG-IQ and Enterprise Manager) to this vulnerability, and has evaluated
the currently supported releases for potential vulnerability.
To determine if your release is known to be vulnerable, the components
or features that are affected by the vulnerability, and for information
about releases or hotfixes that address the vulnerability, refer to the
following table:
Product Versions known to be vulnerable Versions known to be not vulnerable Severity Vulnerable component or feature
BIG-IP LTM 12.0.0 12.0.0 HF1 Severe Virtual servers
11.6.0 11.6.1
11.5.0 - 11.5.3 11.5.4
11.3.0 - 11.4.1 11.4.1 HF10
11.0.0 - 11.2.1
10.1.0 - 10.2.4
BIG-IP AAM 12.0.0 12.0.0 HF1 Severe Virtual servers
11.6.0 11.6.1
11.5.0 - 11.5.3 11.5.4
11.4.0 - 11.4.1 11.4.1 HF10
BIG-IP AFM 12.0.0 12.0.0 HF1 Severe Virtual servers
11.6.0 11.6.1
11.5.0 - 11.5.3 11.5.4
11.3.0 - 11.4.1 11.4.1 HF10
BIG-IP Analytics 12.0.0 12.0.0 HF1 Severe Virtual servers
11.6.0 11.6.1
11.5.0 - 11.5.3 11.5.4
11.3.0 - 11.4.1 11.4.1 HF10
11.0.0 - 11.2.1
BIG-IP APM 12.0.0 12.0.0 HF1 Severe Virtual servers
11.6.0 11.6.1
11.5.0 - 11.5.3 11.5.4
11.3.0 - 11.4.1 11.4.1 HF10
11.0.0 - 11.2.1
10.1.0 - 10.2.4
BIG-IP ASM 12.0.0 12.0.0 HF1 Severe Virtual servers
11.6.0 11.6.1
11.5.0 - 11.5.3 11.5.4
11.3.0 - 11.4.1 11.4.1 HF10
11.0.0 - 11.2.1
10.1.0 - 10.2.4
BIG-IP DNS 12.0.0 12.0.0 HF1 Severe Virtual servers
BIG-IP Edge Gateway 11.3.0 11.0.0 - 11.2.1 Severe Virtual servers
10.1.0 - 10.2.4
BIG-IP GTM 11.6.0 11.6.1 Severe Virtual servers
11.5.0 - 11.5.3 11.5.4
11.3.0 - 11.4.1 11.4.1 HF10
11.0.0 - 11.2.1
10.1.0 - 10.2.4
BIG-IP Link Controller 12.0.0 12.0.0 HF1 Severe Virtual servers
11.6.0 11.6.1
11.5.0 - 11.5.3 11.5.4
11.3.0 - 11.4.1 11.4.1 HF10
11.0.0 - 11.2.1
10.1.0 - 10.2.4
BIG-IP PEM 12.0.0 12.0.0 HF1 Severe Virtual servers
11.6.0 11.6.1
11.5.0 - 11.5.3 11.5.4
11.3.0 - 11.4.1 11.4.1 HF10
BIG-IP PSM 11.3.0 - 11.4.1 11.4.1 HF10 Severe Virtual servers
11.0.0 - 11.2.1
10.1.0 - 10.2.4
BIG-IP WebAccelerator 11.3.0 11.0.0 - 11.2.1 Severe Virtual servers
10.1.0 - 10.2.4
BIG-IP WOM 11.3.0 11.0.0 - 11.2.1 Severe Virtual servers
10.1.0 - 10.2.4
ARX None 6.0.0 - 6.4.0 Not vulnerable None
Enterprise Manager 3.0.0 - 3.1.1 None Low Virtual servers*
FirePass None 7.0.0 Not vulnerable None
6.0.0 - 6.1.0
BIG-IQ Cloud 4.0.0 - 4.5.0 None Low Virtual servers*
BIG-IQ Device 4.2.0 - 4.5.0 None Low Virtual servers*
BIG-IQ Security 4.0.0 - 4.5.0 None Low Virtual servers*
BIG-IQ ADC 4.5.0 None Low Virtual servers*
BIG-IQ Centralized Management 4.6.0 None Low Virtual servers*
BIG-IQ Cloud and Orchestration 1.0.0 None Low Virtual servers*
LineRate None 2.5.0 - 2.6.1 Not vulnerable None
F5 WebSafe None 1.0.0 Not vulnerable None
Traffix SDC None 4.0.0 - 4.4.0 Not vulnerable None
3.3.2 - 3.5.1
*Although the BIG-IQ and Enterprise Manager software contains the
vulnerable code, these products do not expose virtual server objects,
or use the vulnerable code in a way that exposes the vulnerability in a
standard configuration.
Vulnerability Recommended Actions
If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Versions known to be not vulnerable column. If the table lists only
an older version than what you are currently running, or does not list a
non-vulnerable version, then no upgrade candidate currently exists.
F5 responds to vulnerabilities in accordance with the Severity values
published in the previous table. The Severity values and other security
vulnerability parameters are defined in SOL4602: Overview of the F5 security
vulnerability response policy.
Identifying log messages relevant to the vulnerability
The primary means of identifying the vulnerability is by locating the
relevant log messages in the /var/log/ltm file. For the HSB lockup to occur,
the system must be operating in Syncookie mode. Therefore, you should look
for two logs in proximity.
First, you should see a log message indicating that the Syncookie
threshold was exceeded. The message appears similar to the following
example:
warning tmm[PID]: 01010038:4: Syncookie threshold 1993 exceeded,
virtual = 10.11.12.13:443
Note: The actual threshold value will vary.
Second, you should see an HSB lockup message. The message appears
similar to the following example:
crit tmm[PID]: 01230111:2: Interface 0.1: HSB DMA lockup on transmitter
failure.
Note: The lockup by itself is not necessarily indicative of this
vulnerability, as other issues may produce the same log message. However,
if both the platform and software version are within the vulnerable
set as indicated above, presence of the error messages may indicate
exposure to the vulnerability.
Mitigating the vulnerability
F5 strongly encourages you to upgrade to a fixed release to mitigate this
issue. However, if you are unable to upgrade at this time, contact F5
Technical Support to obtain an iRule mitigation.
Supplemental Information
SOL9970: Subscribing to email notifications regarding F5 products
SOL9957: Creating a custom RSS feed to view new and updated documents
SOL4918: Overview of the F5 critical issue hotfix policy
SOL167: Downloading software and firmware from F5
SOL13123: Managing BIG-IP product hotfixes (11.x - 12.x)
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVzK75n6ZAP0PgtI9AQLzHA/+MmAvBUdR8SJUPWTkUx1UFSDufaCT+aIV
/i63jR5eLw+DWTb/hzIWq7Hci6Poy+9N4nQGKz8MQ3qhIElmsMq9tWWh2PzoJttK
2Y09wpBpFPuIiDMFeafEnsoZ6UFiBgwZUgvZTul/vtfJYaOiV46DYD3VsINS8tVu
WwxdP91rZwq/3MkUOBB3BvgUiiZKVA3hUTk5cx+vqlgqXFnvTVx7YQj8LQMJr4xN
nJ8Yc5jHoa8xkfsRQJGv2RrqWMz7c7BYmHYwt6+4VSUvfj2VTjBqSQQnIhT1xxoF
jrx+SKUBlB0zPx7s3gkgBGwu5aFakaXgppRIjkU6mo3wLpwSxl0skhBGjvWi2wXE
s6cKVn/z/knYEMXWzTncjhKU5yGDVbr0R/vqfldzPwvM9SYaJ8kt7ak9x+D0m8WR
cg1zf9KRzY0YuLvXcxWpY9YPz12i5daAD7gJ9x6xSk8QJ5bC0J0r+E7DC3hNYWft
N7VJmfnwByGKgbpaha4ZpoTtZF0gizxnMHIf5facPQ304vgpUg+7Uobz73+GmkLU
IiqMUycBZHByjYhQMywQ1/6m2h3hGIB5s66RaAG1JMRnsBESlixVaLeJjJ1syV/U
LsKBVZKAWThui2Ej7/1YnPtpz9BQUN2kMfxJYpIhzAhCyOdV2XsBnYacev0X2qpt
ShrlzA0T6NU=
=Kg+r
-----END PGP SIGNATURE-----